“Download this app and win a mobile phone,” reads a post that tries to trick users into downloading a fake Huawei app
Android users should watch out for new wormable malware that spreads through WhatsApp and tricks potential victims into downloading an app from a website masquerading as Google Play. ESET malware researcher Lukas Stefanko took a look under the hood of this Android villain.
“This malware is spread through the victim’s WhatsApp, automatically responding to any WhatsApp message notification with a link to a fake and malicious Huawei Mobile app,” Stefanko said. The malware, which was first reported by the Twitter user @ReBensk, appears to be primarily intended to generate fraudulent advertising revenue for its operators.
Worm Android WhatsApp?
Malware is spread through victim’s WhatsApp by automatically responding to any WhatsApp message notification received with a link to the malicious Huawei Mobile app.
The message is only sent once per hour to the same contact.
It appears to be adware or subscription scam. https://t.co/NYbh2A9Y6M pic.twitter.com/2tFgLyG94O
– Lukas Stefanko (@LukasStefanko) January 21, 2021
To install the malicious app, users are asked to allow the installation of apps from places other than the official Google Play Store, removing a key – and enabled by default – security precaution on Android devices.
Once the installation process is complete, the app requests a number of permissions, including access to notifications, which in combination with Android’s direct reply feature is what makes the malware wormable.
“By combining these two features, the malware can effectively respond with a personalized message to any WhatsApp notification message received,” Stefanko said. The malware then runs in the background until it retrieves a response from the server, while it waits for a WhatsApp message notification, which it then uses to distribute the malicious link to the victim’s contacts.
The malicious app also asks for other permissions, including drawing over other apps, which allows it to overlay any other app running on the device, and ignoring battery optimization, which allows it to run in the background and prevents the system from killing it off even if it starts to deplete the device’s power and resources.
“The worm spreads via messages to WhatsApp contacts only when the last message the victim received was sent over an hour ago,” Stefanko explained, adding that he believes this is done so as not to arouse suspicion among the victim’s contacts, since receiving a link in response to every message could raise the alarm.
Currently, the app appears to be primarily used in an adware or subscription scam campaign, although it can be used to do worse. “This malware could potentially spread more dangerous threats since the message text and the link to the malicious application are received from the attacker’s server. It could just distribute banking Trojans, ransomware, or spyware,” Stefanko said.
To protect yourself, avoid clicking on suspicious links, download apps only from Google Play, and use a reputable security solution.
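A defender-side check for the capability combination described above, added here as an example that is not from ESET or the original article: it flags apps installed from outside Google Play that hold notification access, and notes overlay and battery-optimization exemptions as aggravating signals. The inventory record format and the package names are constructed assumptions; the two permission strings and the Play installer name are the real Android identifiers.

```python
PLAY_STORE = "com.android.vending"  # installer package name of Google Play
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
NO_DOZE = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def triage(app):
    """Return a list of reasons, empty when the app does not match."""
    sideloaded = app.get("installer") != PLAY_STORE
    # Notification access is what exposes incoming messages and their
    # reply actions to an app, so it is the mandatory signal here.
    if not (sideloaded and app.get("notification_listener")):
        return []
    reasons = ["installed from outside Google Play", "has notification access"]
    perms = set(app.get("permissions", ()))
    if OVERLAY in perms:
        reasons.append("can draw over other apps")
    if NO_DOZE in perms:
        reasons.append("exempt from battery optimization")
    return reasons


def findings(inventory):
    """Flagged apps as (package, reasons), most signals first."""
    hits = [(app["package"], triage(app)) for app in inventory]
    hits = [hit for hit in hits if hit[1]]
    return sorted(hits, key=lambda hit: len(hit[1]), reverse=True)


# Constructed sample inventory (hypothetical record format and packages).
SAMPLE = [
    {"package": "com.example.notifylog", "installer": None,
     "notification_listener": True, "permissions": []},
    {"package": "com.example.smartwatch", "installer": PLAY_STORE,
     "notification_listener": True, "permissions": [NO_DOZE]},
    {"package": "com.example.fakehuawei", "installer": None,
     "notification_listener": True, "permissions": [OVERLAY, NO_DOZE]},
    {"package": "com.example.sideloadedgame", "installer": None,
     "notification_listener": False, "permissions": [OVERLAY]},
]

if __name__ == "__main__":
    for package, reasons in findings(SAMPLE):
        print(f"{package}: {'; '.join(reasons)}")
```

A match is a prompt for manual review, not a verdict: legitimate companion and automation apps can hold the same permissions.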